Unicaja Azure Hub-and-Spoke Zero Trust Network
About This Architecture
Unicaja's hub-and-spoke zero-trust network architecture spans Azure subscriptions with Palo Alto NGFW inspection at the hub, connecting on-premises infrastructure via ExpressRoute and securing public ingress through Akamai WAF. Traffic flows through mandatory inspection points enforcing least-privilege access across DMZ, application, ARO Kubernetes, and shared services spokes. The design isolates workloads—Azure Functions, App Services, and a fully private OpenShift cluster—while centralizing DNS resolution and CI/CD pipelines in dedicated spokes. This architecture demonstrates enterprise-grade network segmentation, compliance-ready logging via Azure Monitor and Log Analytics, and defense-in-depth with NSGs, UDRs, and DDoS protection. Fork and customize this diagram on Diagrams.so to adapt the hub-and-spoke topology, adjust CIDR ranges, or document your own zero-trust perimeter.
People also ask
How do you design a zero-trust hub-and-spoke network in Azure with on-premises integration and mandatory traffic inspection?
This diagram shows Unicaja's implementation: a central hub VNet with Palo Alto NGFW in HA mode acts as the mandatory inspection point for all traffic between spokes (DMZ, applications, ARO, shared services) and on-premises via ExpressRoute. User Defined Routes and Network Security Groups enforce least-privilege access, while Azure Bastion, Azure Firewall, and DDoS Protection secure the perimeter.
- Domain: Cloud Multi
- Audience: Azure security architects designing zero-trust hub-and-spoke networks with on-premises integration
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.